#!/bin/bash
#######################################################
# $Name:         nginx-ssl.sh
# $Version:      v1.0
# $Function:     基于nginx一键部署https
# $Author:       Ropon
# $organization: west.cn
# $Create Date:  2017-3-10
# $Description:  1、基于nginx自动部署https，自动设置301
#                2、自动判断是否升级nginx和openssl
#                3、支持wdcp或其他已安装好nginx环境
#                4、部署后nginx配置文件推荐放到/home/nginx-vhost/目录下(可选)
#                5、证书路径/home/ssl 以域名命名www.test.com.crt www.test.com.key
#                6、部署后nginx站点配置文件名为test.com_ssl.conf
#######################################################
# Shell Env
SHELL_NAME='nginx-ssl.sh'
SHELL_DIR='/root'
# Log and lock paths are derived from the script name above.
# NOTE(review): the lock lives under /tmp with a predictable name, and
# shell_lock/shell_unlock are never called anywhere in this file, so no
# run lock is actually taken.
SHELL_LOG="${SHELL_DIR}/${SHELL_NAME}.log"
LOCK_FILE="/tmp/${SHELL_NAME}.lock"
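#######################################
# Print a (UTF-8) message in the terminal's encoding: unchanged when $LANG
# mentions UTF, otherwise transcoded to GBK through iconv.
# Arguments: $1 - message text
# Outputs:   the message on stdout
# Returns:   1 (with a usage line on stderr) unless exactly one argument is given
#######################################
myi18n() {
	if [[ "$#" -ne 1 ]]; then
		# Previously a stray 'echo "demo"' that fell through and printed $1 anyway.
		printf 'usage: myi18n <message>\n' >&2
		return 1
	fi
	# printf rather than echo so a message beginning with '-' is printed verbatim.
	if [[ $LANG =~ [Uu][Tt][Ff] ]]; then
		printf '%s\n' "$1"
	else
		printf '%s\n' "$1" | iconv -f utf-8 -t gbk
	fi
}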
#Write Log 
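#######################################
# Append one timestamped line to ${SHELL_LOG}.
# Globals:   SHELL_NAME, SHELL_LOG (read); calls myi18n
# Arguments: $1 - message text
# Outputs:   appends "YYYY-MM-DD HH-MM-SS : <name> : <msg>" to the log file
#######################################
shell_log(){
    local log_info=$1
    # A single date call so the date and time parts come from the same instant.
    myi18n "$(date "+%Y-%m-%d %H-%M-%S") : ${SHELL_NAME} : ${log_info}" >> "${SHELL_LOG}"
}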
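#######################################
# Create the run lock file at ${LOCK_FILE}.
# NOTE(review): nothing in this file calls shell_lock, so the lock is
# never actually taken.
# Globals: LOCK_FILE (read)
#######################################
shell_lock(){
    touch -- "${LOCK_FILE}"
}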
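#######################################
# Remove the run lock file at ${LOCK_FILE} (no error if absent).
# NOTE(review): nothing in this file calls shell_unlock.
# Globals: LOCK_FILE (read)
#######################################
shell_unlock(){
    rm -f -- "${LOCK_FILE}"
}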
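shell_log "信息：脚本开始运行"
# Where a relocated nginx conf directory lives. If it already exists the
# interactive path discovery below is skipped entirely.
homeconfpath=/home/nginx-ssl/conf
# Set to 'y' once a wdcp panel install is detected (drives the chown to wdcpu:wdcpg).
wdcp=
if [ ! -d "$homeconfpath" ];then
	myi18n "请输入nginx安装路径，比如：/usr/local/nginx"
	myi18n "如果使用wdcp环境，请直接回车"
	read -r -p ": " confpath
	# An empty answer means the wdcp default install.
	if [ -z "$confpath" ] ;then
		confpath=/www/wdlinux/nginx
	fi
	confpath1=${confpath}/conf
	while [ ! -d "$confpath1" ]
	do
		myi18n "您输入路径${confpath1}不存在，请重新输入"
		shell_log "错误：您输入路径${confpath1}不存在，请重新输入"
		read -r -p ": " confpath
		if [ -z "$confpath" ] ;then
			confpath=/www/wdlinux/nginx
		fi
		confpath1=${confpath}/conf
	done
	# A usable install has nginx.conf directly inside <install>/conf.
	temp=$(find "$confpath1" -maxdepth 1 -name 'nginx.conf')
	while [ -z "$temp" ] || [ ! -f "$temp" ]
	do
		myi18n "nginx安装路径不对，请重新输入"
		shell_log "错误：${confpath1} 路径下没有找到nginx.conf，请检查"
		echo
		read -r -p ": " confpath
		if [ -z "$confpath" ] ;then
			confpath=/www/wdlinux/nginx
			wdcp=y
		fi
		confpath1=${confpath}/conf
		temp=$(find "$confpath1" -maxdepth 1 -name 'nginx.conf')
	done
	shell_log "信息：nginx配置文件路径 ${confpath1}"
	myi18n "是否一键移动nginx配置文件到/home/nginx目录下并创建好软连接"
	read -r -p "[y/n]: " conf_move
	# Only a bare 'y' or 'n' is accepted (the old [y,n] class also let ',' through).
	while [[ ! $conf_move =~ ^[yn]$ ]]
	do
		echo "input error! Please only input 'y' or 'n'"
		echo
		read -r -p "[y/n]: " conf_move
	done
	if [ "$conf_move" == 'y' ] ;then
		if [ ! -d "$homeconfpath" ];then
			mkdir -p "$homeconfpath" || exit 1
			cp -rf "${confpath}"/conf/* "$homeconfpath"
			# Swap the real conf dir for a symlink to its new home. The cd must
			# succeed, otherwise mv/ln below would act on the wrong directory.
			# NOTE: if conf-bak/ already exists, mv nests conf/ inside it.
			cd "$confpath" || exit 1
			mv conf/ conf-bak/
			ln -sf "$homeconfpath" conf
			if [ "$wdcp" == 'y' ] ;then
				chown -R wdcpu:wdcpg "$homeconfpath"
			fi
		fi
	else
		homeconfpath=${confpath}/conf
	fi
else
	echo
	myi18n "自动搜索到：nginx配置文件路径为 ${homeconfpath}"
	shell_log "信息：自动搜索到：nginx配置文件路径为 ${homeconfpath}"
	echo
fi
# The wdcp install directory is the authoritative signal for a wdcp environment.
if [ -d "/www/wdlinux/nginx" ] ;then
	wdcp=y
	myi18n "使用wdcp环境，nginx版本为"
	/www/wdlinux/nginx/sbin/nginx -v 2>&1|awk -F '/' '{print $2}'
	shell_log "信息：当前使用wdcp环境"
fi
shell_log "信息：nginx的vhost文件路径 ${homeconfpath}"
# Certificates and private keys are stored here, named after the domain.
# NOTE(review): this directory ends up holding private keys; consider
# restricting its mode if nothing other than the nginx master needs it.
homesslpath=/home/ssl
[ ! -d "$homesslpath" ] && mkdir -p "$homesslpath"
shell_log "信息：ssl证书存放路径 ${homesslpath}"
# Everything that follows uses paths relative to the vhost directory
# (*.conf globbing, chown *), so failing to enter it must stop the script.
pushd "${homeconfpath}/vhost/" || { shell_log "错误：vhost目录 ${homeconfpath}/vhost 不存在"; exit 1; }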

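myi18n "请输入需要安装证书站点绑定的域名，比如：www.test.com"
myi18n "如果二级域名有绑定到其他站点，请使用www.test.com，不要输入顶级域名"
read -r -p ": " domain
while [ -z "$domain" ]
do
	myi18n "域名不能为空，请重新输入。"
	echo
	read -r -p ": " domain
done
# Pick the first vhost file mentioning " <domain>" (cwd is the vhost dir).
# -F keeps the user-supplied domain from being interpreted as a regex.
# NOTE: this is a substring match, so www.test.com also hits www.test.com.cn.
files=$(grep -l -F -- " ${domain}" *.conf | head -n 1)
files=${files%.conf}
if [ -z "$files" ] ;then
	echo
	printf '%s\n' "$domain"
	myi18n "关联站点，没有找到！"
	shell_log "警告：没有找到域名 ${domain} 对应配置文件"
	echo
	exit 1
fi
# files1: the plain-http vhost; sslfile: the https copy this script creates.
files1=${homeconfpath}/vhost/${files}.conf
shell_log "信息：要部署域名 ${domain} 的配置文件是  ${files1}"
sslfile=${homeconfpath}/vhost/${files}_ssl.conf
if [ -f "$sslfile" ];then
	# First certificate/key directive in the file, value without the trailing ';'.
	# Matching on the first field skips commented-out directives.
	crt=$(awk '$1=="ssl_certificate"{sub(/;.*$/,"",$2); print $2; exit}' "$sslfile")
	key=$(awk '$1=="ssl_certificate_key"{sub(/;.*$/,"",$2); print $2; exit}' "$sslfile")
	if [ -f "$crt" ] && [ -f "$key" ];then
		echo
		printf '%s\n' "$domain"
		myi18n "关联站点证书已安装！"
		shell_log "警告：域名 ${domain} 已成功部署"
		echo
		exit 1
	fi
	echo
	printf '%s\n' "$domain"
	myi18n "关联站点ssl配置文件已存在，是否需要删除？"
	read -r -p "[y/n]: " ssl_check
	while [[ ! $ssl_check =~ ^[yn]$ ]]
	do
		echo "input error! Please only input 'y' or 'n'"
		echo
		read -r -p "[y/n]: " ssl_check
	done
	if [ "$ssl_check" == 'y' ];then
		rm -f -- "$sslfile"
	else
		echo
		printf '%s\n' "$domain"
		myi18n "已存在ssl配置文件，请核实后重新运行程序。"
		shell_log "警告：要部署域名 ${domain} 已存在部署后配置文件 ${sslfile}"
		exit 1
	fi
fi
# The http vhost must not already carry an https redirect (return 301);
# the user can have it removed here, otherwise the script stops.
if grep -q -- 'https://' "$files1" ;then
	echo
	printf '%s\n' "$domain"
	myi18n "对应配置文件存在301转向(return 301)，是否需要删除？"
	read -r -p "[y/n]: " s_check
	while [[ ! $s_check =~ ^[yn]$ ]]
	do
		echo "input error! Please only input 'y' or 'n'"
		echo
		read -r -p "[y/n]: " s_check
	done
	if [ "$s_check" == 'y' ];then
		sed -i '/^.*return.*301 https/d' "$files1"
	else
		echo
		printf '%s\n' "$domain"
		myi18n "域名 ${domain} 对应配置文件${files}存在301转向，请先删除对应行"
		shell_log "警告：域名 ${domain} 对应配置文件${files}存在301转向，请先删除对应行"
		exit 1
	fi
fi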
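# Final locations of the certificate and key, named after the domain.
crt1=${homesslpath}/${domain}.crt
key1=${homesslpath}/${domain}.key
if [ ! -f "$crt1" ];then
	# Certificates from the vendor appear to come as leaf + CA file and have to
	# be concatenated (leaf first) before nginx can use them.
	myi18n "我司申请在nginx上部署需要先合并，请输入y或者n？"
	read -r -p "[y/n]: " crt_yn
	while [[ ! $crt_yn =~ ^[yn]$ ]]
	do
		echo "input error! Please only input 'y' or 'n'"
		echo
		read -r -p "[y/n]: " crt_yn
	done
	if [ "$crt_yn" == 'y' ] ;then
		myi18n "请依次输入需要合并证书路径，注意先后顺序:eg /root/test.com.cer"
		myi18n "/root/test.com.cer"
		myi18n "/root/test.com_ca.crt"
		read -r -p "Please reinput crtpath1 : " crtpath1
		read -r -p "Please reinput crtpath2 : " crtpath2
		while [ -z "$crtpath1" ] || [ ! -f "$crtpath1" ]
		do
			myi18n "需要合并证书1不能为空或路径错误，请重新输入。"
			shell_log "警告：需要合并证书1 ${crtpath1} 为空或路径错误"
			echo
			read -r -p ": " crtpath1
		done
		while [ -z "$crtpath2" ] || [ ! -f "$crtpath2" ]
		do
			myi18n "需要合并证书2不能为空或路径错误，请重新输入。"
			shell_log "警告：需要合并证书2 ${crtpath2} 为空或路径错误"
			echo
			read -r -p ": " crtpath2
		done
		shell_log "信息：域名 ${domain} 需要合并证书1 ${crtpath1}"
		shell_log "信息：域名 ${domain} 需要合并证书2 ${crtpath2}"
		# Overwrite (not append): a leftover ~/<domain>.crt from an earlier run
		# would otherwise end up with the stale chain prepended.
		crtpath=~/${domain}.crt
		cat -- "$crtpath1" "$crtpath2" > "$crtpath"
	else
		myi18n "请输入需要安装证书路径:eg /root/test.com.crt"
		read -r -p "Please reinput crtpath : " crtpath
		while [ -z "$crtpath" ] || [ ! -f "$crtpath" ]
		do
			myi18n "crt证书路径不能为空或路径错误，请重新输入。"
			shell_log "警告：crt证书路径 ${crtpath} 为空或路径错误"
			echo
			read -r -p ": " crtpath
		done
	fi
	cp -- "$crtpath" "$crt1"
else
	echo
	myi18n "自动搜索到：域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
	shell_log "信息：自动搜索到：域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
	echo
fi
if [ ! -f "$key1" ];then
	myi18n "请输入需要安装证书路径:eg /root/test.com.key"
	read -r -p "Please reinput keypath : " keypath
	while [ -z "$keypath" ] || [ ! -f "$keypath" ]
	do
		myi18n "key证书路径不能为空或路径错误，请重新输入。"
		shell_log "警告：key证书路径 ${keypath} 为空或路径错误"
		echo
		read -r -p ": " keypath
	done
	cp -- "$keypath" "$key1"
	# cp keeps the mode of the uploaded file, which is often world-readable.
	# Only the process that loads the config (normally the root master) needs
	# the key — confirm if nginx is started unprivileged on this host.
	chmod 600 -- "$key1"
else
	echo
	myi18n "自动搜索到：域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
	shell_log "信息：自动搜索到：域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
	echo
fi
shell_log "信息：域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
shell_log "信息：域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"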
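# Derive the https vhost from the http one (cwd is the vhost dir), then patch it.
cp -- "${files}.conf" "$sslfile"
# Log message previously omitted the /vhost/ component of the real path.
shell_log "信息：域名 ${domain} 部署后 ssl配置文件为 ${sslfile}"
if [ "$wdcp" == 'y' ] ;then
	# wdcp expects its own owner on everything under the vhost dir.
	chown -R wdcpu:wdcpg -- *
	shell_log "信息：核实为wdcp环境，设置${homeconfpath} 所有者及所属组为wdcpu.wdcpg"
fi

# Switch the listen port. Only 'listen' lines are touched, and only a
# standalone 80 (not 8080, not an address octet); the previous blanket
# s/80/443 ssl/g also rewrote ports, IPs and timeouts elsewhere in the file.
sed -i -E '/^[[:space:]]*listen[[:space:]]/ s/(^|[^0-9.])80([^0-9]|$)/\1443 ssl\2/g' "$sslfile"
# Chain the TLS directives in after the server's root line. Patterns are
# anchored to the directive at line start so a path that merely contains
# "root" does not trigger extra copies; each sed still appends after every
# matching line, so a file with several server blocks gets one block each.
sed -i "/^[[:space:]]*root[[:space:]]/a\	ssl_certificate $crt1;" "$sslfile"
sed -i "/^[[:space:]]*ssl_certificate[[:space:]]/a\	ssl_certificate_key $key1;" "$sslfile"
# TLSv1/TLSv1.1 are deprecated and dropped. TLSv1.3 is not added because it
# needs a newer nginx/OpenSSL than the 1.10.x this script targets.
sed -i "/^[[:space:]]*ssl_certificate_key[[:space:]]/a\	ssl_protocols TLSv1.2;" "$sslfile"
sed -i "/^[[:space:]]*ssl_protocols[[:space:]]/a\	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;" "$sslfile"
myi18n "是否需要一键设置301转向，请输入y或者n？"
read -r -p "[y/n]: " zx_yn
while [[ ! $zx_yn =~ ^[yn]$ ]]
do
	echo "input error! Please only input 'y' or 'n'"
	echo
	read -r -p "[y/n]: " zx_yn
done
if [ "$zx_yn" == 'y' ] ;then
	myi18n "请输入跳转后地址比如："
	read -r -p "${domain}: " server_name1
	# An empty answer keeps nginx's own $server_name (literal; nginx expands it).
	if [ -z "$server_name1" ] ;then
		server_name1='$server_name'
	fi
	request_uri1='$request_uri'
	# Appended after each server_name line of the http vhost.
	# NOTE(review): the answer is interpolated verbatim into the sed text, so a
	# backslash in it is taken as a sed escape.
	sed -i "/^[[:space:]]*server_name[[:space:]]/a\	return	301 https://$server_name1$request_uri1;" "$files1"
	shell_log "信息：域名 ${domain} 已设置301跳转到https://${server_name1}${request_uri1}  ${files1}"
fi
# Validate the rewritten config before restarting so a bad edit does not take
# the site down; the binary path is only known for wdcp installs.
if [ "$wdcp" == 'y' ] && ! /www/wdlinux/nginx/sbin/nginx -t ;then
	shell_log "错误：nginx配置检查失败，未重启nginx"
	exit 1
fi
service nginxd restart
echo
printf '%s\n' "$domain"
myi18n "关联站点证书已安装完成！"
myi18n "证书文件存放/home/ssl，以域名方式命名。"
# Mirror the vhost dir into the backup dir. Copying "vhost/." keeps the
# layout flat on repeated runs (plain "cp -r vhost <dir>" nests it once the
# backup dir exists).
mkdir -p /home/nginx-vhost-bak
cp -rf "${homeconfpath}/vhost/." /home/nginx-vhost-bak/
if [ "$wdcp" == 'y' ] ;then
	myi18n "同时已备份当前nginx配置文件到/home/nginx-vhost-bak"
fi
myi18n "如果使用wdcp环境，请不要登录wdcp切换web引擎，否则配置文件将被覆盖！"
echo "https://${domain}"
myi18n "域名 ${domain} 证书crt文件路径为 ${homesslpath}/${domain}.crt"
myi18n "域名 ${domain} 证书key文件路径为 ${homesslpath}/${domain}.key"
echo
shell_log "信息：${domain} 关联站点证书已安装完成"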
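pushd /root/
#######################################
# Re-point wdcp's nginx conf dir at ${homeconfpath} after an upgrade that
# recreated it. No-op when the conf dir already is the wdcp default.
# Globals: homeconfpath (read)
# NOTE(review): if conf/ is already the symlink created earlier in this
# script, the cp/mv below act on the link — not re-verified here.
#######################################
homemove(){
	local confpath=/www/wdlinux/nginx
	if [ "${homeconfpath}" == "/www/wdlinux/nginx/conf" ] ;then
		echo "$homeconfpath"
		myi18n "不需要移动配置文件"
	else
		cp -rf "${confpath}"/conf/* "$homeconfpath"
		cd "$confpath" || return 1
		mv conf/ conf-bak/
		ln -sf "$homeconfpath" conf
		chown -R wdcpu:wdcpg "$homeconfpath"
	fi
}
# Presence of the 1.10.2 install dir is used as the "already upgraded" marker.
if [ "$wdcp" == 'y' ] && [ ! -d /www/wdlinux/nginx-1.10.2 ] ;then
	myi18n "核实nginx和openssl版本较低，若要通过苹果ats认证，请升级"
	read -r -p "[y/n]: " update
	while [[ ! $update =~ ^[yn]$ ]]
	do
		echo "input error! Please only input 'y' or 'n'"
		echo
		read -r -p "[y/n]: " update
	done
	if [ "$update" == 'y' ];then
		# The upgrade script is fetched over plain HTTP with no integrity check
		# and then run as root, so a tampered or truncated download runs
		# unverified. Prefer an https source plus a vendor-published checksum.
		# -O pins the output name: without it a second run wrote nginx_up.sh.1
		# and then executed the stale copy; a failed download must not fall
		# through to executing whatever is left in /root either.
		if ! wget -O nginx_up.sh http://downinfo.myhostadmin.net/wdcp/nginx_up.sh ;then
			shell_log "错误：下载 nginx_up.sh 失败，已取消升级"
			exit 1
		fi
		sh nginx_up.sh
		homemove
		shell_log "信息：核实为wdcp环境，已选择升级nginx和OpenSSL"
	fi
fi
shell_log "信息：脚本正常退出"
# (a stray debug 'echo "test"' used to follow here)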